From 24e2c439ec405e5256024b9acefd4f7008c5ed0c Mon Sep 17 00:00:00 2001
From: Stig Palmquist <git@stig.io>
Date: Sun, 10 May 2026 19:37:58 +0200
Subject: [PATCH] CVE-2026-45191: Reject zero-padded CIDR masks

add() accepted zero-padded masks ("/00", "/032") as decimal, parsing
them to a different range than a textual filter would expect.
The fix for CVE-2021-47154 was incomplete: it covered only the IPv4 octet
half. This possibly allows IP ACL bypass via find().

Assisted-by: Claude (Anthropic)
Signed-off-by: Stig Palmquist <git@stig.io>
---
 Lite.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Lite.pm b/Lite.pm
index 8b5a20c..295c345 100644
--- a/Lite.pm
+++ b/Lite.pm
@@ -37,7 +37,9 @@ sub add {
     my ($ip, $mask) = split "/", shift;
     $self->_init($ip) || confess "Can't determine ip format" unless %$self;
     confess "Bad mask $mask"
-        unless $mask =~ /\A[0-9]+\z/ and $mask <= $self->{NBITS}-8;
+        unless defined $mask
+        and $mask =~ /\A(?:0|[1-9][0-9]*)\z/
+        and $mask <= $self->{NBITS}-8;
     $mask += 8;
     my $start = $self->{PACK}->($ip) & $self->{MASKS}[$mask]
         or confess "Bad ip address: $ip";
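Review bot: With the new `defined $mask` guard, the message on the `confess "Bad mask $mask"` line still interpolates an undefined `$mask` on the missing-mask path, so under `use warnings` the confess is preceded by an uninitialized-value warning; `confess "Bad mask " . (defined $mask ? $mask : '(missing)')` keeps the diagnostic clean. On the `split "/", shift` line, a third field (`host/8/x`) is still silently dropped, which is the same kind of lenient-parse mismatch against a textual filter that this commit closes for zero-padded masks; `my ($ip, $mask, @extra) = split "/", shift, -1;` followed by `confess "Bad cidr" if @extra;` would reject it, unless callers already normalize. add() begins before the hunk and its body continues after it, so I cannot see whether such normalization happens elsewhere.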

